How to solve "certificate verify failed" on Windows?

Question

I am trying to use signet for OAuth to Google services. And get this error:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Following these questions:

Seems the solution is either to fix ca_path or to ~~set VERIFY_NONE for SSL~~.

The ca_path fix posted only works on Linux (port install) and the fix for VERIFY_NONE seems to be for faraday.

Is there a solution for Windows/signet gem?

I'm having the same issue, only with the `paypal_adaptive` gem. Anyone find an answer? — wulftone, May 09 '11 at 22:35
The problem seems to persist, and I've never seen a real explanation of what is happening, despise the many hacks and patches that exist. A simple lay-person's explanation would go a long way to helping everyone. — Nuby, May 10 '11 at 18:55
I solved it by stopping to use signet and using just the ruby OAuth gem directly — mbdev, May 12 '11 at 07:04
Just an FYI, we were connecting to a 3rd party server temporarily that had certificate issues so we had to use `IO.copy_stream( open( url, { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE } ), download_path )` to just disable the SSL verification. In our case, security wasn't an issue, the server was out of our control and it was a temporary solution. — Joshua Pinter, Jun 04 '20 at 17:31

score 192 · Accepted Answer · edited Jan 22 '17 at 23:36

192

Actually the best way I found to solve this in windows for Ruby itself, not just one gem, is to do the following:

Download https://curl.haxx.se/ca/cacert.pem into c:\railsinstaller\cacert.pem. Make sure you save it as a .pem file, rather than a text file.
Go to your Computer -> Advanced Settings -> Environment Variables
Create a new System Variable:

Variable: SSL_CERT_FILE Value: C:\RailsInstaller\cacert.pem
Close all your command prompts, including your Rails server command prompt, etc.

Start a new ruby irb prompt, and try the following:

$irb>require 'open-uri'
$irb>open('https://www.gmail.com')

It should all work now just fine.

edited Jan 22 '17 at 23:36

Daniel Stenberg

54,736
17
146
222

answered Apr 21 '13 at 18:18

SomeDudeSomewhere

3,928
1
23
27

1

why are we poening gmail.com? – ahnbizcad Sep 27 '14 at 20:52
When you go into irb, it's usually within the context of an app. Does it matter which one you do it in? Do you have to do it for each app every time? Anyhow, it worked for the app that I typed this into. – ahnbizcad Sep 27 '14 at 21:01
2

FYI when I was working with `librarian-chef` which downloads chef cookbooks, I needed this cert that comes with Chef instead: `C:/opscode/chefdk/embedded/ssl/certs/cacert.pem` – nebffa Dec 31 '14 at 11:54
1

For windows users ensure file saved as "cacert.pem" and not "cacert.pem.txt". Also followed the [Workaround RubyGems' SSL errors on Ruby for Windows (RubyInstaller)](https://gist.github.com/luislavena/f064211759ee0f806c88) – Sudarsan GP Jan 24 '15 at 14:01
Being that I only installed ruby/gems to install sass, this option worked well for me. thanks. – skift Feb 20 '15 at 21:23
14

Don't do this. Installing a randomly certificate, downloaded over HTTP (not HTTPS), as a fully trusted root certificate is just asking for trouble. Never mind that the library suggested later in the answer is also known for being insecure. – Matthew Schinckel Mar 25 '15 at 10:29
@MatthewSchinckel What is a better solution? – Aarmora Mar 17 '16 at 20:17
I don't have a better solution. I'm just saying this is a bad solution. – Matthew Schinckel Mar 18 '16 at 12:39
2

@DevDude This solution was working a few months ago. After a recent Windows update for me both my Desktop and Laptop this doesn't work anymore =/ Any ideas? – Ka Mok Aug 12 '16 at 02:06
Best solution as it let the code free of any Windows specificity. – Alain ANDRE Dec 14 '16 at 09:50
Or you can add `set SSL_CERT_FILE=C:\RailsInstaller\cacert.pem` to your PATH using regedit. – desbest Jan 18 '17 at 13:31

score 28 · Answer 2 · edited Mar 28 '16 at 21:18

Solution for Windows, which I cobbled together from a few different answers:

Download https://curl.haxx.se/ca/cacert.pem and put it in YOUR_APP/lib/assets (or wherever)

In config/initializers/omniauth.rb:

 #config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, CUSTOMER_KEY, CUSTOMER_SECRET, {client_options: {ssl: {ca_file: Rails.root.join('lib/assets/cacert.pem').to_s}}}
end

Obviously, restart your server.

Footnotes: You might be able to cut out a lot of the unnecessary certificates in the cacert.pem file to reduce the size. If you only need this solution for development, you could save the file outside of your project and do a if Rails.env.development? _provider line with the client_options hash_ else _provider line without client_options hash_ end

Downloading a certificate over HTTP is a terrible idea. – Mattie Mar 26 '15 at 21:03 — Mattie, Mar 26 '15 at 21:03

score 21 · Answer 3 · edited May 22 '16 at 19:51

21

After too much searching and wasted time, I found a very simple solution to fix this issue in Ruby with Windows.

Two simple steps:

In command prompt write: C:\gem install certified
In your rb file add: require 'certified'

That's it.

edited May 22 '16 at 19:51

J0e3gan

8,740
10
53
80

answered May 22 '16 at 19:26

Abdelrahman Farag

389
2
9

1

You sir, are a champ! Note, you should use the `certified-update.bat` file once in a while to keep the certificate up to date. – Jun 03 '16 at 18:11
Ruby noob here - when you say "In your `rb` file", what exact file are you referring to? Would this be the `boot.rb` file? – jbyrd May 20 '20 at 18:22
I mean with your ruby file or your script with extension rb, it should including the following line : require 'certified' – Abdelrahman Farag Feb 17 '21 at 00:38

score 9 · Answer 4 · answered Jan 02 '15 at 02:42

9

Updating the rubygems package management framework solved this issue for me on Windows 7.

https://rubygems.org/pages/download

gem update --system          # may need to be administrator or root

answered Jan 02 '15 at 02:42

Aaron Robertson

111
1
5

This solved it for me on Windows 8.1. Had gem version 1.8.28 and upgraded to 2.4.5 (ruby 1.9.2). – Ciryon Jan 04 '15 at 08:20

score 9 · Answer 5 · edited Mar 25 '15 at 10:31

9

yes, I've set the omniouth.rb file in the initializers folder to this:

provider :facebook, FACEBOOK_KEY, FACEBOOK_SECRET, {:client_options => {:ssl => {:verify => false}}}

and this seems to work fine now. But don't use this for production.

edited Mar 25 '15 at 10:31

Matthew Schinckel

35,041
6
86
121

answered May 21 '11 at 11:17

Tom

195
2

2

I appreciate the "don't use this in production" but I feel like it should be in all caps, highlighted, repeated, emphasized, and reiterated. Given the answer below, I feel like this answer should be deleted. – oreoshake Jan 23 '15 at 01:30

score 5 · Answer 6 · answered Oct 28 '16 at 07:12

5

Using the http:// URL instead of https:// make this easier to you

Change the gem source to http://rubygems.org/ by using the following line of command on your ruby command line

gem sources -a http://rubygems.org/

answered Oct 28 '16 at 07:12

nifCody

2,394
3
34
54

score 2 · Answer 7 · answered Dec 20 '14 at 20:27

2

Adding onto DevDude's solution, but using Windows Powershell:

Download http://curl.haxx.se/ca/cacert.pem into c:\railsinstaller\cacert.pem

At the powershell prompt:

$env:SSL_CERT_FILE = 'c:\RailsInstaller\cacert.pem'

I was then able to run gem update successfully

Note: you can simply define that environment variable in your profile notepad $profile

answered Dec 20 '14 at 20:27

df2k2

178
6

2

Downloading a certificate _not_ over SSL is opening yourself up for a MITM attack. – Matthew Schinckel Mar 25 '15 at 10:24

score 2 · Answer 8 · answered Oct 21 '16 at 21:53

Go to the rubygems-update download page: https://rubygems.org/gems/rubygems-update

Click on the Download link, and you'll download a file called rubygems-update-2.6.7.gem. At the command line, navigate to the directory you downloaded the .gem file to and type:

gem install rubygems-update-2.6.7.gem

(or whatever the filename was, if a newer version)

Then type:

update_rubygems

You can verify it's updated with:

gem --version

score 1 · Answer 9 · answered Jan 04 '17 at 17:30

I had this error whilst trying to setup rails 5 on a windows machine, turns out I had to update the rubygem version to 2.6.7 and then it worked.

step 1 download rubygem from below

https://rubygems.org/downloads/rubygems-update-2.6.7.gem

step 2 - install by pointing to downloaded rubygems

gem install --local C:\rubygems-update-2.6.7.gem

step 3 - check new version is 2.6.7

gem --version

step 4 - now safely un-install rubygems-update gem

gem uninstall rubygems-update -x

step 5 tried to install rails 5 again

gem install rails --version 5.0.0

worked like a charm!

I got info from: http://guides.rubygems.org/ssl-certificate-update/#installing-using-update-packages

score 0 · Answer 10 · answered Mar 03 '16 at 18:35

I was able to eliminate the PATH or SYSTEM VARIABLE setting mentioned above by importing the certificate as a Trusted Authority.

Invoke certmgr.msc
Right-click the Trusted Root Certificate Authority folder.
Select "All Tasks"
Select "Import"
Select All Files in file type dropdown and select the cacert.pem file.
You should receive a message "Import Successful"

score 0 · Answer 11 · answered Oct 16 '16 at 13:44

0

I believe the correct answer is to update your gem installer: rubygems-update. The explanation for why this is needed is found at: Ssl Certificate Updates

answered Oct 16 '16 at 13:44

FatherShawn

211
2
8

score 0 · Answer 12 · answered Nov 22 '16 at 08:22

0

save your cacert.pmp file from https://curl.haxx.se/ca/cacert.pem and then add this file to location yourruby-installation folder\lib\ruby\2.3.0\rubygems\ssl_certs

for example:C:\Ruby23\lib\ruby\2.3.0\rubygems\ssl_certs

answered Nov 22 '16 at 08:22

nikbe28

77
6

score 0 · Answer 13 · answered Jan 20 '17 at 16:32

This helped me: https://coderwall.com/p/ubl6iw/fix-ssl_connect-returned-1-errno-0-state-sslv3-read-server-certificate-b-certificate-verify-failed-openssl-ssl-sslerror My ruby on rails project is posting data to an api internally, and it cannot verify the internal certificate. These lines helped:

require 'https'

http = Net::HTTP.new('example.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
http.cert_store.add_file('/path/to/internal.cert.pem')

Hope this can help.

score 0 · Answer 14 · answered Mar 06 '17 at 17:18

0

I was also facing this issue when I installed older ruby versions. When I installed the latest Ruby version this problem went away. So basically the SSL certificate needed to be updated.

answered Mar 06 '17 at 17:18

kishor.j

223
3
7

score -3 · Answer 15 · answered Nov 18 '14 at 06:50

-3

For people who are using rails 4.

Add this in devise.rb

require "omniauth-google-oauth2"
config.omniauth :google_oauth2, "CLIENT_ID", "CLIENT_SECRET", { access_type: "offline", approval_prompt: "", :client_options => {:ssl => {:verify => false}} }

answered Nov 18 '14 at 06:50

Priyanko

318
1
5
13

2

`{:ssl => {:verify => false}}` is not the solution, it just creates another problem. – oreoshake Jan 23 '15 at 01:31

How to solve "certificate verify failed" on Windows?

15 Answers15

Linked